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AGENDA 
Jakarta EE 11 

Jakarta Servlet 

Jakarta Pages 
Jakarta WebSocket 

Jakarta Expression Language 
Jakarta Authentication 

Jakarta Annotations 


Tomcat specific changes 


JAKARTA EE 11 


42 individual specifications - Tomcat implements 6 
Platform specification - Tomcat implements relevant sections 
Minimum of Java 21 
No SecurityManager support 
Testing and Compatibility Kits (TCKs) are being refactored 
First milestones due end of November 


Final release June/July 2024 


JAKARTA SERVLET - 6.1 


No major changes 
Clarification 
Clean-up 


Various improvements 


JAKARTA SERVLET - HEADERS 


Calls using null for a header name will be NO-OPs 
Using null when setting a header value will remove all current values 
Calls using null when adding a header value will be NO-OPs 
The empty string is a valid value for a header 


Any method that sets a header is a NO-OP once the response is 
committed 


Align getDateHeader() and getIntHeader() with getHeader() for 
multiple values 


JAKARTA SERVLET - ASYNC 


dispatch() and complete() close non-blocking output streams 


write(), print(), println() and flush() are "write operations" 


JAKARTA SERVLET - REDIRECTS 
Status code can be specified 
Response body can be specified 


Relative redirects are allowed 


JAKARTA SERVLET - SECURITY 


Clarify that all ServletContext methods that accept a path bypass 
security constraints 


Remove sensitive HTTP headers from TRACE responses 


JAKARTA SERVLET - PARAMETERS 


Invalid parameters will always trigger an Exception 


JAKARTA SERVLET - MISCELLANEOUS | 


Update HTTP RFC references to latest versions 
HTTPS support is now mandatory 
New constants for status codes 308, 421, 422 and 426 
New request attribute jakarta.servlet.error.query_string 


Add ByteBuffer support to ServletInputStream and 
ServletOutputStream 


Charset support for setCharacterEncoding() 


JAKARTA SERVLET - MISCELLANEOUS II 


Context root mapping occurs with or without the trailing '/' 


Clarify when leading '/' is ommitted in 
HttpServletMapping.getMatchValue() 


Clarify multi-part config sizes are in bytes 
Clarify expected behaviour for CONNECT requests 


Deprecate and make optional support for HTTP/2 server push 


JAKARTA SERVLET - IN PROGRESS 


HttpSession access for WebSocket 
Require error dispatches to use GET 
Clarify behaviour of various methods for include / forward 


Support for 1xx responses - particularly early hints 


JAKARTA PAGES - 4.0 


Depreacted classes and methods have been removed 


Updated ErrorData to support the new request attribute 
jakarta.servlet.error.query_string 


JAKARTA WEBSOCKET - 2.2 


Clarifed the responsibility for sending Ping messages 


Added getSession() method to SendResult 


EXPRESSION LANGUAGE - 6.0 
Remove all deprecated classes and methods 
Dependency on JavaBeans API is now optional 


Added support for java.util.Optional via OptionalELResolver 


ANNOTATIONS - 3.0? 


ManagedBean is deprecated 


JAKARTA AUTHENTICATION - 3.1? 
TBD 


TOMCAT 11 


No major changes 
Specification / RFC updates 
Generally stricter with invalid input 
Enhancements and improvements 


32-bit Windows no longer supported (no JRE) 


TOMCAT 11 - SECURITY | 
BASIC authentication uses UTF-8 by default 
Update DIGEST auth to RFC 7616 


Documentation web application is only accessible from localhost by 
default 


Examples web application is only accessible from localhost by 
default 


TOMCAT 11 - SECURITY II 


rejectillegalHeader hard-coded to true 
allowHostHeaderMismatch hard-coded to false 


Align AJP connector handling of invalid HTTP headers with HTTP 
connector 


Added RateLimitFilter 


HTTP/2 
RFC 9218 - HTTP/2 priority frame support 


Support for server push has been removed 


VIRTUAL THREADS 


Virtual thread support - useVirtualThreads on the Connector 


Some internal refactoring 


TLS 
Log TLS cert info on startup 
Dedicated loggers for detailed TLS confguration info 
Added TLSCertificateReloadListener 


MISCELLANEAOUS 


Expose the utility executor to web applications 
Tomcat no longer sets java.protocol.handler.pkgs when starting 
Added PropertiesRoleMappingListener 
Added ContextNamingInfoListener 


Add support for loading configuration resources from the web 
application 


QUESTIONS? 


TOMCAT RESOURCES 


Web site: https://tomcat.apache.org 
Mailing lists: https://tomcat.apache.org/lists.html 
Source code: https://github.com/apache/tomcat 

Issue tracker: https://bz.apache.org/bugzilla 


Stack overflow 


THANK YOU 


